| | |
|---|---|
| **ID** | F0010 |
| **Objective(s)** | Persistence, Privilege Escalation |
| **Related ATT&CK Techniques** | Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006) |
| **Version** | 2.1 |
| **Created** | 1 August 2019 |
| **Last Modified** | 12 June 2023 |

Kernel Modules and Extensions

Malware may use loadable kernel modules to persist on a system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. Malware may try to hide drivers or modules by creating them without a name.

See ATT&CK: Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006).

Methods

| Name | ID | Description |
|---|---|---|
| Device Driver | F0010.001 | Allows kernel to access hardware connected to the system. |

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| Drovorub | 2020 | -- | Drovorub uses a kernel module rootkit for loading and for persistence. [1] |

References

[1] https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF